Incorrect version information in Windows binaries

/usr/local/dick
Posts: 2
Joined: 2012-03-22T07:20:50-07:00

Incorrect version information in Windows binaries

Post by /usr/local/dick »

Hi guys

I just installed the latest version of the 16 bpp static x64 binaries on Windows from this location:
http://www.imagemagick.org/download/bin ... static.exe

However, the resulting binaries still list the previous version ("6.7.6", without the "-1"):

http://cajones.org/~visser/images/IM_ve ... smatch.png

This causes vulnerability scanners such as Secunia PSI to incorrectly detect the version and hence report a vulnerability when in fact there is none.
Also, the installation directory has string "6.7.6" in it, but that might be intentional.

Thanks!!
davidows
Posts: 1
Joined: 2012-03-23T10:21:57-07:00

Re: Incorrect version information in Windows binaries

Post by davidows »

I wish someone at ImageMagick would pay attention to this thread and the developers would stop publishing hot fixes and patched versions of the product without incrementing the File Version and Product Version.

Simply using the same version number, e.g. 6.7.6, but adding a "-1" in the Comment field of the file properties will continue to confuse ImageMagick users and annoy them when very worthwhile security scanners, e.g. Secunia PSI and CSI both detect and report the very same version number as the previous (AND INSECURE) version of the file.

This inconveniences even the knowledgeable user, who knows about this issue. That user becomes accustomed to seeing a false positive indication and never knows when the shelf icon might actually be reporting a NEW and VALID vulnerability in the product, without firing up the full Secunia interface and double clicking to see the details regarding ImageMagick.

The only alternative for the user is to exclude the offending file from detection, but that also risks not being notified of an actual vulnerability that's newer than the one just fixed.
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Incorrect version information in Windows binaries

Post by magick »

ImageMagick does not encode the minor patch level into the product version. Some vulnerability scanners rely on just the product version and produce a false positive. We consider this a bug in the vulnerability scanners. We may in the future include the minor patch level into the product version but given our to-do list of 1000+ items it may be some time. In the meantime, all known security issues are addressed in the ImageMagick 6.7.6-4 release (scheduled release by tomorrow). For us humans, downloading http://www.imagemagick.org/download/binaries/I ... ws-dll.exe makes it easy to see that you are using ImageMagick version 6.7.6 patch release 4. Vulnerability scanners can extract the minor patch level from ImageMagick.rdf (which is designed for machine consumption).
glennrp
Posts: 1147
Joined: 2006-04-01T08:16:32-07:00
Location: Maryland 39.26.30N 76.16.01W

Re: Incorrect version information in Windows binaries

Post by glennrp »

How about switching to a numbering scheme like this?
    6.7.6-0
    6.7.6-1
    6.7.6-2
    6.7.6-3
    6.7.6-4
    6.7.605
    6.7.606
    ...
    6.7.610
    6.7.700
    ...
    7.0.000
    7.0.001
    ...
That should make the virus-scanners happy and the humans happy too.
anthony
Posts: 8883
Joined: 2004-05-31T19:27:03-07:00
Location: Brisbane, Australia

Re: Incorrect version information in Windows binaries

Post by anthony »

NOTE what happens if we go to double digits on say the middle number?

See getting a version number for version compares
http://www.imagemagick.org/Usage/api/#scripts

    # Keep only the LIB_VERSION_NUMBER line of 'convert -list configure'
    # (e.g. "LIB_VERSION_NUMBER 6,7,5,7"), replace the name and any spaces
    # after it with a leading comma, zero-pad every field to two digits and
    # drop the separators:  6,7,5,7 -> 06070507
    IM_VERSION=$(convert -list configure | \
         sed '/^LIB_VERSION_NUMBER /!d;
              s/^LIB_VERSION_NUMBER  */,/;  s/,/,0/g;
              s/,0*\([0-9][0-9]\)/\1/g')
converts a number like
6.7.5-7
to
06070507

I do not have the Windows equivalent.
Anthony Thyssen -- Webmaster for ImageMagick Example Pages
https://imagemagick.org/Usage/
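The two machine-readable pieces this thread asks for, as an added example that is neither ImageMagick's code nor anthony's: a Python version of the zero-padded comparison key anthony's sed produces (including the double-digit case he raises), a comparison that refuses to decide when the patch level is missing (which is exactly what a bare "6.7.6" from the Windows File Version resource looks like), and a reader for the patch level magick points at in ImageMagick.rdf. The RDF fragment below is constructed for the example, and its DOAP layout (release / Version / revision elements in the doap namespace) is an assumption about the real file's shape, not something taken from this page.

```python
"""Parse ImageMagick version strings the way a vulnerability scanner would
have to in order to avoid the false positive discussed in this thread.

Added example, not ImageMagick's own code.  Assumptions are marked.
"""
import re
import xml.etree.ElementTree as ET

# Constructed DOAP-style fragment.  The element layout is an ASSUMPTION
# about how ImageMagick.rdf is organised; the real file may differ.
SAMPLE_RDF = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://usefulinc.com/ns/doap#">
  <Project>
    <name>ImageMagick</name>
    <release>
      <Version>
        <name>stable</name>
        <revision>6.7.6-4</revision>
      </Version>
    </release>
  </Project>
</rdf:RDF>
"""

DOAP = "{http://usefulinc.com/ns/doap#}"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text):
    """'6.7.6-4' -> (6, 7, 6, 4).

    A bare '6.7.6' (what the Windows File Version resource shows) carries
    no patch level; it is returned as None so callers cannot mistake it
    for patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ImageMagick version: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro),
            int(patch) if patch is not None else None)


def version_key(text):
    """Zero-padded 8-digit string, the same mapping as anthony's sed:
    '6.7.5-7' -> '06070507'.  Two digits per field, so a double-digit
    field such as '6.7.12-3' -> '06071203' still sorts correctly as a
    plain string.  A missing patch level is padded as 0, which is the
    collapse that makes 6.7.6-0 and 6.7.6-4 look identical to a scanner."""
    major, minor, micro, patch = parse_version(text)
    return f"{major:02d}{minor:02d}{micro:02d}{(patch or 0):02d}"


def is_fixed(installed, fixed_in):
    """True if `installed` is at least `fixed_in`.

    Refuses to decide when the installed string has no patch level,
    because that is precisely the information the version resource drops."""
    if parse_version(installed)[3] is None:
        raise ValueError(
            f"patch level unknown for {installed!r}; read it from ImageMagick.rdf")
    return version_key(installed) >= version_key(fixed_in)


def revision_from_rdf(xml_text):
    """Pull the release revision (e.g. '6.7.6-4') out of a DOAP document
    with the assumed release/Version/revision layout."""
    root = ET.fromstring(xml_text)
    rev = root.find(f".//{DOAP}release/{DOAP}Version/{DOAP}revision")
    if rev is None or not rev.text:
        raise ValueError("no doap:revision element found")
    return rev.text.strip()


if __name__ == "__main__":
    print(version_key("6.7.5-7"))           # 06070507, as in anthony's post
    print(version_key("6.7.12-3"))          # 06071203, double-digit field
    print(is_fixed("6.7.6-1", "6.7.6-4"))   # False: still vulnerable
    try:
        is_fixed("6.7.6", "6.7.6-4")        # what the scanner actually sees
    except ValueError as err:
        print(err)
    rev = revision_from_rdf(SAMPLE_RDF)
    print(rev, is_fixed(rev, "6.7.6-4"))    # 6.7.6-4 True
```

The point of `is_fixed` raising rather than guessing is the thread's complaint in reverse: a scanner that silently treats "6.7.6" as "6.7.6-0" will flag every patched 6.7.6-x as vulnerable, while one that silently treats it as "latest" will miss real exposures; the only safe move is to fetch the patch level from a source that carries it.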
/usr/local/dick
Posts: 2
Joined: 2012-03-22T07:20:50-07:00

Re: Incorrect version information in Windows binaries

Post by /usr/local/dick »

Just manually uninstalled 6.7.6-1 and then installed 6.7.6-9 to overcome the various CVEs that came out recently...
As always, file information still says 6.7.6 and PSI lists it as being vulnerable :(
But, since the software was installed in "C:\Program Files\ImageMagick-6.7.6-Q16", my PSI ignore rule keeps working :)